
@monotykamary/localterm@2.41.0

⚠ Under review

A browser-based terminal: one browser tab is one PTY session. Friendly URL, persistent xterm.js front-end, hono + node-pty back-end.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior. Note that most of the matched behaviors (child processes, shell, environment variables, network, WebSocket) are also the expected surface of the browser-based terminal described above, so the score reflects pattern matches rather than confirmed intent.

Static reason
The combination of behaviors listed below (child-process and shell execution, environment-variable access, filesystem, network and WebSocket use) matched a policy pattern associated with malicious packages. For a daemon that spawns PTYs and streams them to a browser this same combination is the core feature set, so the match should be read as a prompt for manual review of the data flow, not as evidence of compromise.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network · Shell · WebSocket
Supply chain
High Entropy Strings · Minified · Obfuscated · Url Strings
Manifest: No manifest risk signals triggered.
scanned 78 file(s), 4.17 MB of source. External domains found as string references in the source (documentation, license and vendor URLs among them; whether any is contacted at runtime is not established by this scan): base-ui.com, fonts.googleapis.com, github.com, json-schema.org, login.tailscale.com, react.dev, simplewebauthn.dev, tailscale.com, www.apple.com, www.w3.org

Source & flagged code

dist/utils/spawn-daemon.js
1import { spawn } from "node:child_process"; L2: import { DAEMON_CHILD_ENV_FLAG, RESTART_DAEMON_ENV_FLAG } from "../constants.js";
High
Child Process

Package source references child process execution (`spawn` from `node:child_process`). Spawning a daemon is expected for this package; the review questions are what command and arguments are passed, whether any of them derive from user input, and whether the child is detached and inherits the parent environment. The `DAEMON_CHILD_ENV_FLAG` / `RESTART_DAEMON_ENV_FLAG` imports suggest an env-flag-driven re-exec of the CLI itself — confirm this in the full file rather than from the import line alone.

dist/commands/install.js
104Environment=PATH=${pathEnv} L105: ExecStartPre=/bin/sh -c 'command -v tailscale >/dev/null 2>&1 || exit 0; for i in $(seq 1 ${input.tailscaleBootWaitSeconds}); do tailscale status --json >/dev/null 2>&1 && exit 0; ... L106: ExecStart=${input.execPath} ${input.cliEntry} start --foreground --port ${input.port} --host ${input.host}
High
Shell

Package source references shell execution: a systemd unit template whose `ExecStartPre=/bin/sh -c '...'`, `Environment=PATH=` and `ExecStart=` lines interpolate `${pathEnv}`, `${input.tailscaleBootWaitSeconds}`, `${input.execPath}`, `${input.port}` and `${input.host}`. If any of these values originate from CLI flags or a config file, a value containing a quote, `$(...)` or a newline could inject into the `sh -c` command or add unit directives; check that the installer validates them (integers for the port and wait seconds, a hostname/IP pattern for host, an absolute path for execPath) before templating. The visible shell snippet itself only polls `tailscale status` in a bounded loop and exits 0 if tailscale is absent.

terminal/assets/ruby-C1LRcWtV.js
1import e from"./shellscript-CLZ0U2zV.js";import{t}from"./c-CPLfmtrm.js";import n from"./sql-BsFa4tDR.js";import r from"./cpp-D8w6wJsT.js";import i from"./css-BsVw1vtW.js";import a ... L2: //# sourceMappingURL=ruby-C1LRcWtV.js.map
Medium
Dynamic Require

Package source references dynamic require/import behavior. The visible snippet, however, consists of static ESM `import` statements of sibling hashed chunks (`shellscript-*`, `sql-*`, `cpp-*`, `css-*`) and a `sourceMappingURL` comment — the shape of a bundler-emitted, code-split syntax-highlighting grammar. The "dynamic" import is most likely the bundler's lazy loading of this chunk rather than runtime loading of arbitrary code; confirm that no import specifier in the bundle is constructed from a variable.

dist/utils/shell-completions.js
3import path from "node:path"; L4: import { execFile } from "node:child_process"; L5: import { promisify } from "node:util"; ... L12: case "bash": L13: return ".bashrc"; L14: case "zsh": ... L23: const relative = rcRelativePath(shell); L24: return relative ? path.join(os.homedir(), relative) : null; L25: }; ... L99: try { L100: const { stdout } = await execFileAsync("zsh", ["-c", "print -l $fpath"], { timeout: 3000 }); L101: return stdout
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration. The shell-completion helper resolves rc-file paths (`.bashrc`, `.zshrc`-style) under `os.homedir()` and queries zsh's `$fpath` via `execFile("zsh", ["-c", "print -l $fpath"])` — a fixed command with an argument array and a 3 s timeout, so no user input reaches the command line here. Editing a user's shell rc is legitimate for completion installation but is also a persistence vector: confirm the write happens only on an explicit completions/install command and appends a clearly delimited, idempotent block rather than arbitrary content.

terminal/assets/index-DRs_-VsE.js
122contains invisible/control Unicode U+2060 (word joiner) `):e}var kL=null,AL;function jL(){return kL===null&&(kL=new Intl.Segmenter(AL,{granularity:`word`})),kL}var ML=/\p{Script=Arabic}/u,NL=/\p{M}/u,PL=/\p{Nd}/u;function FL(e){return ML.test(e)}function IL(e){return e>=19968&&e<=40959||e>=13312
Critical
Trojan Source Unicode

Source contains an invisible Unicode character, U+2060 WORD JOINER. Trojan Source attacks rely on bidi-control characters (U+202A–U+202E, U+2066–U+2069) to make displayed source differ from what the compiler parses; U+2060 is an invisible format character but not a bidi control. Here it appears alongside `Intl.Segmenter` word segmentation, a `\p{Script=Arabic}` regex and CJK code-point range checks — consistent with text-rendering data in a terminal front-end. Before treating this as Critical, verify that the character sits inside a string or regex literal (data) rather than inside an identifier or between tokens, where it could change how the code is read.

270XID_Continue XIDC L271: XID_Start XIDS`.split(/\s/).map(e=>[aY(e),e])),$Y=new Map([[`s`,LY(383)],[LY(383),`s`]]),eX=new Map([[LY(223),LY(7838)],[LY(107),LY(8490)],[LY(229),LY(8491)],[LY(969),LY(8486)]]),t... L272: ]`:`(?>\r L273: ?|[ L274: \v\f…\u2028\u2029])`),t));else if(c===`posix`)if(!i&&(u===`graph`||u===`print`)){if(r===`strict`)throw Error(`POSIX class "${u}" requires min target ES2024 or non-strict accuracy`)... L275: `),gZ=(e,t)=>{let n=uZ.get(e);if(n&&n.contentKey===hZ(t))return n.result},_Z=async(e,t,n)=>{let r=gZ(e,t);if(r!==void 0)return r;let i=oZ[n];if(!i)return uZ.set(e,{contentKey:hZ(t)... L276: `),o=r.codeToTokens(a,{lang:n,theme:lZ}).tokens.map(e=>({tokens:e.map(e=>({content:e.content,color:e.color??``,fontStyle:e.fontStyle??0}))}));return uZ.set(e,{contentKey:hZ(t),resu... L277: `);a.length>0&&a[a.length-1]===``&&a.pop();for(let e of a){let a=KZ.exec(e);if(a){r=Number.parseInt(a[1],10),i=Number.parseInt(a[2],10),n={header:e,lines:[]},t.push(n);continue}if(... ... L279: `)},ge[gt]=()=>{let e=n.querySelector(`.xterm-screen`);if(!(e instanceof HTMLElement))return null;let t=e.getBoundingClientRect();return{left:t.left,top:t.top,cellWidth:K.cols>0?t.... L280:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. The flagged lines are Unicode property tables, regex translation, `codeToTokens` syntax highlighting, a unified-diff parser and xterm screen geometry — output rendering, not the network send itself. For a browser terminal, PTY output reaching the network is the product; the check that matters is the destination: confirm the WebSocket/fetch endpoints are the user's own server (same origin or the configured host) and that none of the third-party domains listed above receives terminal content.

terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2
path = terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2 kind = high_entropy_blob sizeBytes = 15264 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs. A `.woff2` web font is Brotli-compressed by format, so high entropy is expected and is not a signal on its own. To rule out a disguised payload, confirm the file begins with the `wOF2` magic (redacted above), parses as a font, and matches the hash of the same file in its upstream font distribution.


Findings

1 Critical · 4 High · 5 Medium · 5 Low
Critical — Trojan Source Unicode — terminal/assets/index-DRs_-VsE.js
High — Child Process — dist/utils/spawn-daemon.js
High — Shell — dist/commands/install.js
High — Command Output Exfiltration — terminal/assets/index-DRs_-VsE.js
High — Ships High Entropy Blob — terminal/assets/geist-mono-latin-600-normal-DQQBcVN0.woff2
Medium — Dynamic Require — terminal/assets/ruby-C1LRcWtV.js
Medium — Network
Medium — Environment Vars
Medium — Install Persistence — dist/utils/shell-completions.js
Medium — Structural Risk Force Deep Review
Low — Scripts Present
Low — Filesystem
Low — Obfuscated
Low — High Entropy Strings
Low — Url Strings